Breach Detection by the Numbers: Days, Weeks or Years?

July 26, 2016

The cyber attacks reported by the media continue to highlight a common thread – many of the breaches have gone undetected for weeks, months and sometimes years – take the recent Wendy’s breach for example. We call this the Breach Detection Gap (BDG) or dwell time, and it is defined as the time elapsed between the initial breach of a network by an attacker and the discovery of that breach by the victim.

The latest report from FireEye cites dwell time as 146 days on average globally, and a whopping 469 days for the EMEA region. According to a Trustwave Report, 81% of reported intrusions are not detected by internal security processes but rather by news reports, law enforcement notifications, or external fraud monitoring. Unfortunately, this trend does not show signs of slowing as internal security processes are unable to keep up with increasingly sophisticated and pervasive threats.

A Closer Look at High Profile Breaches

The Wendy’s breach we recently blogged about is a good example. The breach started in the fall of 2015; it was initially reported by branches in February 2016; it was announced in May 2016 citing 300 locations impacted; and hundreds more of their locations had in fact been breached and were only discovered and reported in early July, 1,025 in total. The examples below offer a snapshot of additional high profile real-world attacks and the length of time that elapsed before each breach was discovered. These well documented incidents cost the organizations affected millions in losses, regulatory fines, and brand reputation.

Table 1: Breach Detection Gap Examples

There are many motives for attackers to maintain stealthy, long-term access to a network; such intrusions are known as “persistent compromises”. Whereas loud, transient attacks such as crypto-lockers, web defacement, denial of service, or smash-and-grab thefts can be easy to identify because of the immediate effect they have, persistent threats meet their objectives by maintaining stealthy, long-term access to the network.

Table 2: Persistent vs Non-persistent Compromises

While access may be obtained within seconds or minutes depending on the vulnerability exploited, mapping and navigating a large or complicated network to find the data or individuals the attacker is looking for can often take days or weeks. Additionally, monitoring users on the newly compromised network for a period of time to learn internal operations is essential to an attacker’s success, as was demonstrated in the Sony attack. This, however, also gives network defenders an opportunity to disrupt and counter.

Closing the Breach Detection Gap with Threat Hunting

Although the BDG problem is complex, it exists primarily for two reasons:

1. The growing sophistication of modern attackers.

2. Current real-time security processes are ineffective at detecting post-compromise activity, especially as time passes after the initial attack.

The BDG problem has become so pervasive that many argue organizations should operate under the assumption that their respective networks will be penetrated if they aren’t already. The U.S. Department of Defense adopted this premise several years ago, and in response, created “hunt teams”, which, at a basic level, consisted of trained incident responders and analysts who proactively and iteratively search critical networks and/or historical log data for signs of a missed compromise.

Threat hunting differs from real-time intrusion detection, which works to prevent or detect attacks early in the attack cycle, in that it relies on post-compromise detection techniques. Hunting sits on the spectrum of incident response activities, except that it is done proactively, before you know there is a problem. The goal is to reduce the dwell time of attackers and remove them before they can cause further damage.
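The following is an added example, not code from Infocyte or from the original post, showing one form the hunt described above can take over historical log data: a least-frequency-of-occurrence (“stacking”) hunt that flags executables seen on only a handful of hosts, then reports each lead’s dwell time using the Breach Detection Gap definition given at the top of this post (first evidence of the compromise to the date of discovery). The log format, the host names, the image paths and the timestamps are all constructed for illustration; the prevalence threshold (`max_hosts`) is a tunable assumption, not a standard.

```python
from datetime import date, datetime

# Constructed sample of historical process-execution records (illustrative only,
# not real telemetry). One record per line: <ISO timestamp> <host> <image path>
SAMPLE_LOGS = """\
2016-02-01T08:00:00 host01 C:\\Windows\\System32\\svchost.exe
2016-02-01T08:00:05 host02 C:\\Windows\\System32\\svchost.exe
2016-02-01T08:00:09 host03 C:\\Windows\\System32\\svchost.exe
2016-02-01T09:12:00 host01 C:\\Program Files\\Office\\winword.exe
2016-02-02T09:15:00 host02 C:\\Program Files\\Office\\winword.exe
2016-03-14T23:41:00 host02 C:\\Users\\Public\\update_svc.exe
2016-03-15T02:03:00 host02 C:\\Users\\Public\\update_svc.exe
2016-04-20T23:41:00 host02 C:\\Users\\Public\\update_svc.exe
2016-05-01T10:00:00 host03 C:\\Program Files\\Office\\winword.exe
"""


def parse_logs(text):
    """Parse 'timestamp host image' lines into (datetime, host, image) tuples.

    The image path may contain spaces, so only the first two fields are split off.
    Paths are lower-cased so the same binary is not counted twice on case differences.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, image = line.split(maxsplit=2)
        events.append((datetime.fromisoformat(ts), host, image.lower()))
    return events


def stack_by_image(events):
    """Group events by image: which hosts ran it, how often, first and last sighting."""
    stats = {}
    for ts, host, image in events:
        entry = stats.setdefault(
            image, {"hosts": set(), "count": 0, "first_seen": ts, "last_seen": ts}
        )
        entry["hosts"].add(host)
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
    return stats


def dwell_days(first_seen, discovered):
    """Breach Detection Gap in whole calendar days: earliest evidence of the
    compromise in the logs to the day the hunt discovered it."""
    return (discovered - first_seen.date()).days


def hunt_rare_images(text, discovered_on, max_hosts=1):
    """Least-frequency hunt over historical logs.

    Images executed on at most `max_hosts` distinct hosts are treated as leads for
    analyst review (widely deployed software stacks out as prevalent). Each lead is
    reported with its dwell time relative to `discovered_on` (ISO date string).
    The threshold is an assumption to be tuned per environment.
    """
    discovered = date.fromisoformat(discovered_on)
    stats = stack_by_image(parse_logs(text))
    findings = []
    for image, s in stats.items():
        if len(s["hosts"]) <= max_hosts:
            findings.append({
                "image": image,
                "hosts": sorted(s["hosts"]),
                "executions": s["count"],
                "first_seen": s["first_seen"].isoformat(),
                "dwell_days": dwell_days(s["first_seen"], discovered),
            })
    # Longest-lived leads first: they are the ones widening the BDG the most.
    findings.sort(key=lambda f: f["dwell_days"], reverse=True)
    return findings


if __name__ == "__main__":
    for lead in hunt_rare_images(SAMPLE_LOGS, "2016-07-01"):
        print(f"{lead['image']}: hosts={lead['hosts']} runs={lead['executions']} "
              f"first_seen={lead['first_seen']} dwell={lead['dwell_days']} days")
```

Run against the constructed sample with a discovery date of 2016-07-01, the hunt stacks out `svchost.exe` and `winword.exe` (seen fleet-wide) and surfaces the single-host `update_svc.exe` with a dwell time of 109 days, which is the kind of number the post’s Breach Detection Gap is measuring. Raising `max_hosts` to the fleet size returns every image, which is useful for a first pass on a small network before tightening the threshold.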
